Privacy policy

Translation provided for convenience

Only the French version is legally binding. In case of any discrepancy or conflict in interpretation, the French version shall prevail.

View French version

Last updated: July 2026

1. Data controller

HEXAI (SAS with a share capital of EUR 10,000) — 203 Chemin des Vignobles, 74210 Doussard, France.

Contact: contact@tresorus.fr

2. Data collected

In connection with the use of Tresorus, we may collect:

  • Account data (where an account is created): email address, username, postal code
  • Geolocation data (consent required): GPS position only during gameplay, processed in real time and not stored on our servers
  • Progress data: completed trails, badges earned, scores
  • Technical data: device type, operating system, application version
  • Push notification token (optional): only if you enable notifications

3. Purposes and legal bases

  • Performance of the contract: provision of the treasure hunt service (account, progress, badges)
  • Consent: GPS geolocation, push notifications
  • Consent (cookies): audience measurement via analytics cookies (see section 5)
  • Legitimate interest: sending service information emails (news, new quests) to account holders. You can object at any time, in particular via the unsubscribe link included in every email (art. 6(1)(f) and 21 GDPR)
  • Consent (partner local authorities): transfer of your email address and postal code to the partner local authorities that fund the quests, so that you can receive their family news. This consent is explicit, collected quest by quest, and the local authority concerned is named at the time of your choice (art. 6(1)(a) GDPR)

4. Data sharing

Your data is never sold. It may be shared with our technical sub-processors:

  • Supabase (database hosting) — European Union servers
  • Cloudflare (media storage) — global network, protected by Standard Contractual Clauses (SCCs)
  • Vercel (website hosting) — United States, certified under the EU-US Data Privacy Framework
  • PostHog (analytics) — European Union servers, only if you accept analytics cookies
  • Sentry (error monitoring, mobile application) — United States, certified under the EU-US Data Privacy Framework
  • Expo / Google Firebase (push notifications) — United States, certified under the EU-US Data Privacy Framework (Google)
  • Resend (email delivery) — United States, transfers governed by Standard Contractual Clauses (SCCs)

Partner local authorities: if you gave your consent when starting a quest funded by a partner local authority, we transfer your email address and postal code to that authority so it can send you its family news. Only users who have given their consent are concerned. Unlike our sub-processors, the local authority then processes this data under its own responsibility: it manages its own mailings and their unsubscription itself.

5. Cookies

The Tresorus website uses two types of cookies:

  • Strictly necessary cookies: management of the authentication session (Supabase). These cookies are essential for the operation of the service and do not require your consent.
  • Analytics cookies (PostHog): audience measurement and improvement of the service. These cookies are only set with your prior consent via the cookie banner. You may change your choice at any time:

6. International transfers

Some of your data may be transferred outside the European Union to our sub-processors located in the United States. These transfers are governed by:

  • The EU-US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023) for Vercel, Sentry and Google/Firebase
  • Standard Contractual Clauses (SCCs) approved by the European Commission for Cloudflare and Resend

Your main data (account, progress, badges) is hosted by Supabase on servers located within the European Union.

7. Retention period

  • Account data: retained as long as the account is active, then deleted after 5 years of inactivity
  • Geolocation data: not retained after the gameplay session
  • Analytics cookies: 13 months maximum
  • Proof of consent to sharing with partner local authorities: 5 years after withdrawal of consent or account deletion, then purged
  • Information email sending history (address, subject, status): retained as long as the account is active, deleted immediately if the account is deleted

8. Your rights (GDPR)

In accordance with the GDPR, you have the following rights:

  • Access: obtain a copy of your data
  • Rectification: correct inaccurate data
  • Erasure: request the deletion of your data
  • Portability: retrieve your data in a structured format
  • Objection: object to the processing of your data
  • Restriction: request the restriction of processing
  • Withdrawal of consent: withdraw your consent at any time (cookies, notifications, geolocation, sharing with partner local authorities) without affecting the lawfulness of prior processing

For sharing with partner local authorities: you can withdraw your consent at any time from the "My communications" screen of your profile in the app, which stops any future transfers. For emails already sent by a local authority, use the unsubscribe link included in its emails.

For information emails sent by Tresorus (news, new quests): every email contains a one-click unsubscribe link. You can also exercise this right to object by writing to contact@tresorus.fr.

To exercise these rights, please contact us at contact@tresorus.fr. We will respond within 30 days.

9. Professional forms (local authorities and private venues)

The "Collectivités" and "Sites privés" pages of our website offer a funding simulator and a contact form intended for professionals (elected officials, public servants, tourist venue managers). If you submit this form:

  • Data processed: professional email address, name of the municipality or organisation, role, phone number (optional), your simulator answers (type of organisation, territory, department) and an anti-spam token (Cloudflare Turnstile).
  • Purposes: contacting you back about your request, sending you the requested documents (deliberation kit) and following up on your project.
  • Legal bases: your consent (checkbox, art. 6.1.a GDPR) and our legitimate interest in responding to a professional enquiry (art. 6.1.f GDPR).
  • Recipients: the Tresorus team only, through our technical processors (Supabase — EU hosting, Resend — email delivery, Cloudflare Turnstile — anti-spam protection).
  • Retention period: 36 months after your last contact with us (CNIL reference period for prospect data), then deleted.

You may exercise the rights described in section 8 at any time, including withdrawing your consent by writing to contact@tresorus.fr.

10. The Grand Trophée des Alpes du Nord (vote)

The Grand Trophée des Alpes du Nord is a free prize draw, by vote, for your favourite destination or ski resort in Savoie, Haute-Savoie and Isère. The destination drawn at random — among those reaching at least 1% of the votes, the draw being weighted by votes — is where Tresorus will set its next treasure hunt: it is neither a prize nor a gift granted to a local authority. The vote is anonymous in its content (we never link it to your identity) and pseudonymous in its technical control (duplicate prevention); we never describe it as "100% anonymous".

  • Data processed: the chosen destination or resort, its type (town or resort), the vote date to the day, and a pseudonymous device identifier (an HMAC-SHA256 fingerprint computed server-side with a secret key that is never stored, based on an identifier dedicated to the contest and separate from analytics) used solely to prevent duplicate votes.
  • Purpose: ensure the integrity of the ranking (one vote per device) and display an indicative ranking.
  • Legal basis: legitimate interest (art. 6(1)(f) GDPR) — the reliability of a public ranking, with minimised, non-identifying data.
  • Abuse prevention: your IP address is processed transiently (rate limiting), without being stored or linked to your vote.
  • Sharing proof (private accounts): if you voluntarily send us a screenshot by private message to evidence your share, we only view it for the time needed to verify it and keep no copy.
  • Retention period: votes (with the pseudonymous device identifier) are kept until about 3 months after the contest ends, after which the identifier is deleted — the remaining votes can no longer be linked to a device.

No geolocation data is collected for the vote. The counter shown in the app and on the website is indicative. Full terms are set out in the contest rules.

11. Tresorus 2026 Observatory Survey

The Tresorus 2026 Family Observatory is a survey offered to application users. It is entirely optional and initiated voluntarily by the user from within the app.

  • Data collected: anonymous response codes (all 4 answers are codes, no free text), invitation channel (entry_point: email, push notification, or profile), application language (locale), application version (app_version). No other personal data is collected.
  • Statistical and commercial purpose: to build an anonymised aggregate of usage patterns and preferences among Tresorus families, then produce an aggregated study — "Tresorus 2026 Family Observatory" — presented to local authorities to support the funding of new quests. No individual data is transmitted to local authorities: only aggregated and anonymised statistics are shared with them.
  • Legal basis: legitimate interest (art. 6(1)(f) GDPR) for processing the anonymised aggregate; consent (art. 6(1)(a) GDPR) collected at the moment the user voluntarily decides to take part in the survey from within the app, the statistical and commercial purpose being displayed on the introduction screen before any participation.
  • Retention period: responses are kept for 3 years from collection, then deleted. Responses linked to an account are automatically deleted when the account is deleted (foreign key constraint with cascade deletion).
  • Your rights: you have the rights of access, rectification, objection, and erasure. Deleting your account automatically purges all your survey responses. To exercise your rights, contact us at contact@tresorus.fr.

12. Complaint

You may lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés — French Data Protection Authority).